Changing (normal) user email without verification

(Stephen) #1

You’ve probably got first-hand experience of the kind of situation. A senior stakeholder who wants something done without any intervention on their part. In this case a senior user wants their associated email address changed, and made it clear to the support team they weren’t to be disturbed until it was done.

They’re a standard user, as an administrator I can trigger the same email change that they would make, but I can’t authorize that change myself, it sends the usual message to the new mailbox- which is useless.

On this occasion I used rails c to make the necessary change, but for sites which don’t have SSO should this be strictly necessary with standard users?

(Jeff Atwood) #2

So edit the database directly, which you’re already doing? Not sure what the question is?

(Stephen) #3

I understand the need to email accounts when altering accounts that have any degree of power to moderate or administer, but preventing an administrator from altering an email address (and forcing them to SSH into a server) feels OTT.

As an administrator of active directory I can use the normal gui tools to change pretty much anything, from the Google Apps domains I administer again very little is restricted, but for some reason Discourse doesn’t allow an administrator to change a user attribute.

(Jeff Atwood) #4

It’d be a massive security hole, if we did. Our obligations as an open source project with freely distributable code are quite high.

(Stephen) #5

Why massive?

The obligations are to protect PII, the email address is already exposed to administrators. You’ve acknowledged that someone with rails access can alter the database directly- I’m not suggesting that all moderators should be able to do this, but maybe it makes sense for Administrators to be able to make administrative changes without getting their hands in the guts of the database.

If the purpose of an administrator being able to update an email address at all is because an old email account has been lost, then there’s nothing stopping an email that isn’t in control of the user being specified. Someone acting out of malice still has the fallback of dropping into rails. It has the feel of the anti-piracy notice on a blu-ray, getting in the way of people doing stuff legitimately.

(Jay Pfaffman) #6

You’ve changed their email address. It doesn’t seem like a huge pain for them to click a “yes, this is my email address” link in email. It keeps you from accidentally switching to some email address that’s not theirs. My wife regularly gets email for wedding planning, announcing that a kid is a the YMCA, and so on because someone with a similar gmail address can’t type. It was really, really, hard to get the YMCA to stop sending mail about little Pat being at after school care (I had to look up a phone number and the person that I talked to didn’t seem to know who to contact to fix the problem) .

Requiring people to validate their email address seems like a really good idea.

I’m pretty sure that Google Apps makes you verify an email address before you start forwarding mail there.

(Stephen) #7

Sure, to move data off-platform a user has to confirm that they own the destination, just as Discourse emails out backup links. OTOH as an administrator if I go in and change any of the profile options associated with account recovery including backup email, phone number, etc, the user isn’t even notified. I can add aliases to accounts, rename accounts, nothing requires user approval.

Preventing admins from changing email addresses is security by obscurity at best, if an admin is acting maliciously you’re already well past the point of no-return. There’s more risk of an admin screwing up something in the rails console by forcing them down that avenue than risk to an installation by allowing them to perform simple administrative tasks.